The Information Commissioner's Office (ICO) has issued a major revision to its statement on Phorm, insisting that the ad tracking system must be deployed on an opt-in basis to comply with the law. Of the three ISPs connected to the scheme, only Carphone Warehouse has committed to opt in when the system is finally rolled out. BT …
Maybe just maybe phorm will vanish up their own ass.
The ICO's New Year's resolution seems to have been "grow a pair".
All well and good but
The article makes no mention of the method of opt out. Will it require a cookie or won't it?
First step in beating Phorm.
Next we need to make sure that the average consumer is as informed as possible, so when BT spouts their "Free phishing protection!" with Phorm in the smallprint, consumers will know what they are really getting.
Cos, if people are forced to choose, hopefully enough of them choose to opt out to make Phorm a useless service.
Excellent - good to hear the ICO actually deciding to do what they should be doing without a lot of prompting. Also very good to hear VM sound like they're trying to distance themselves from this bunch of crooks. I really can't be bothered having to move ISP/TV/Phone etc as I'm perfectly/reasonably happy with what I've got. The sooner VM announce they're not going ahead with it, the sooner I can stop pricing up alternatives...
Opt-In Basis Only!!
YES! YES! YES!
See how many muppets they get to opt-in, their "advertisement targeting system" won't be worth a fuckin light now!
Thank you Jeezus (and El Reg)
Yeah, I know...
That's a bit more like the right direction..
Well, I'm available to comment...
And the message stays the same here too.
ANY INTRUSION INTO MY PRIVACY IS NOT WANTED.
I foresee this being tested in the courts, re the RIPA implications, trouble is the damage will be done by then.
I also foresee (yes, I do have a crystal ball. No, THEY'RE both normal and functional, thanks. Any more predictable 'ball' jokes? No? Good.) that sensible subscribers will depart said ISPs in droves (OK. That does not require a crystal ball, that's 'stating the bleedin' obvious')
Am I rambling? (YES!!!!)
Ah, but do I care? Not a jot!
Much like BT et al.
SHOCK ... THE ICO finds a tooth
"BT and Phorm were unavailable for comment."
That's a first anyway.
Now the ICO has found a tooth, what about an explanation regarding the report last week from the ICO.
Also a question to Phorm, and phormPRteam.
Proof you are lying scum.. The ICO did not endorse your product did they?
Please visit all the message boards and blogs you posted on with this lie, and say sorry.
And about time too!
So basically what this is telling us is that the original statement by the ICO was written by a drone who didn't bother to ask any searching questions or to give a nanosecond of thought about what Phorm would mean. It looks like all of the pressure brought by El Reg and its readers is finally bearing fruit!
Paris - because she's now reformed, just like the ICO
Only the first hurdle.. now the law versus BT trials...
Might just opt in..
And be their only customer, just for a goof...
What will likely happen
Is like spammers and other dubious internet scamsters, they just change their name, sell their product to the MD's brother, and start up a new company under a new name, and try the same shit again...
No comment from Phorm?
That's probably because they're in the toilet crapping themselves and realising that their shares will only be good as toilet paper after this
I wonder if:
a. Changing T&Cs (as BT have already indicated they will do) will act as an "explicit opt-in".
b. Phorm / BT / etc will appeal against this and have it overturned. The ICO has already changed its stance, it can change it again.
I hope not, in both cases. Hopefully, there will be a requirement for a user to explicitly agree to a statement along the lines of
"I agree to my ISP and Phorm analysing my browsing habits and storing data regards these, using this data to serve me targeted advertising and other services to be determined in the future. I agree to this being entirely at my own risk, and that my ISP / Phorm cannot be held in any way accountable for the content of said advertising, loss of personal data, installation of malicious software on my computer and / or personal loss."
Let's see how many agree to that?!
(And see whether Phorm's share price can actually go into the negative!!)
...the Bristol to Bath cyclepath was saved from having a chunk of it turned into a bus route a few weeks back I thought that would be the last time the power of people protest did any good in my lifetime; how wrong I was.
What a way to cheer up a dull Wednesday afternoon.
Power to the Geeks!!!
This is excellent news - thanks El Reg and everyone else who's kept this issue at the forefront! Let's keep the pressure on and the awareness up, and make sure this nasty little company dies on its arse.
Very welcome news.
IMHO though - we now need to keep an even more watchful eye on how Phorm/BT et al try to wriggle their way round this.
Interception of Communications Commissioner
20 March 2006
The Prime Minister has approved the appointment of the Right Honourable Sir Paul Kennedy as Interception of Communications Commissioner under the terms of Section 57 of the Regulation of Investigatory Powers Act 2000. Sir Paul's appointment is from 11 April 2006 to 10 April 2009.
Only half the issue has been addressed
What about website owners who don't want their content to be used in this way?
It is their content and their property that is being monetized by Phorm and the ISPs to provide these adverts.
No website I run would allow such use and I would never opt in to such a scheme. If a visitor that happened to be a victim/customer of a Phorm ISP viewed my content (whether they opted in or not) and it was intercepted for analysis then that interception would be unlawful IMHO.
Will Phorm be obeying any form of robots.txt or other search-engine control mechanism?
Interception of Communications Commissioner
So who does the "Interception of Communications Commissioner" actually work for? Is it the ICO or the Home Office??? And who is it these days??
Re - What will likely happen
And we'll all be here waiting.
More on Interception of Communications Commissioner
See here for description of Interception of Communications Commissioner:
A good start
It's about time the ICO realised that a considerable part of this falls under their remit, rather than play the ostrich. It does however mean that some of the questions asked earlier (that as yet remain unanswered) are still relevant.
Going by the ICO's new statement surely this would mean that the only 'legal' way to do this is to split up the ISP's network into Phorm / No Phorm and have the Opt-In/Out on an account level. I'm going by the previous reports published on The Reg and elsewhere which seems to point towards the fact (as it stands) that even if opted out of the Phorm system the data is still digested but not profiled.
Surely under ICO's revised statement if you opt-out and your data is still 'digested' regardless surely this is illegal going by what they have said? or am I missing something?
I'd also like the ICO's findings on BT's secret trials and the trials that are about to go ahead to be made public.
Illegal even with opt in
Even if it's opt-in it remains illegal.
A user can't give consent for *my* articles on a *private* section of *my* website to be intercepted.
My own consent is still required, the lawsuits WILL roll.
I was under the impression that Phorm still profiled you even if you do opt out, it just discards that profiling and doesn't send it back to your browser...
Surely this means that even an opt out doesn't satisfy the DPA?
Or have I made this up?
Skull & Cross Bones as that is all that will be left of Phorm...
No comment about whether (without opt in) the data has to be kept away from the system.
Probably too technical for an "open statement", but the issue for me has always been the data flow rather than the advertising.
I did email the ICO a few days back about the earlier trial (from the point of view of a webhost accessed by BT, rather than as a BT customer) but haven't got an answer yet. I've got password protected (but not SSL'd) sections on the website, and I certainly didn't give BT permission to spy on people using it.
I'm still worried
This *should* be f**king fantastic news, but I'm still worried that the ISPs will see this statement as more justification for simply mangling their terms and conditions in such a way that the opt-in/opt-out choice basically becomes one of accepting their terms or not. Which means leaving them if you don't.
Doesn't matter about the opt-out cookies now, if it is strictly opt-in, then phorm/bt/vm etc will have to have something stored against your profile either on the isp end or your pc end to say that you opt-in.
That is assuming that they follow the
"humm, check cookie/profile, no opt in, must have opted out, ignore traffic route via unmonitored route"
and not the
"humm, check traffic, check key words, profile, humm, no opt in, better not send adverts to them, monitor traffic regardless"
Just sent this to Ian Livingstone
Dear Mr Livingston,
As I'm sure you are aware about the issue surrounding Phorm, I will be brief. Please note, before I begin, that I am not a BT customer, and thus was unaffected, but as a concerned member of the public, I am interested in the Phorm case because for me it represents the erosion of consumer rights to allow for greater corporate profits.
I wish to ask you two questions.
Firstly, why did you not inform those who participated in the trial last summer what the reason was for the various problems they encountered? I'm sure I'm not alone when I say I wish that BT had been more forthcoming about this technology, as a leader in the UK broadband industry. I think it sets a dangerous precedent, and am perhaps more concerned that you lied to your customers than the fact that the trial was conducted at all.
The second question I wish to ask is, what is BT planning on doing for those affected customers? In case you are not aware, the Information Commissioner's Office has recently declared that Phorm must be opt-in for it to be legal. Thus, last year's trial was not legal, as it was not opt-in. I would like to hear your views on this. What plan of action will BT take to mitigate the risk of lawsuits and more negative publicity resulting from the trial being in danger of being declared outright illegal?
I would appreciate any correspondence.
RIPA rather than PECR or DPA
Reading that statement, it appears that the ICO is distancing itself from the RIPA issues - and telling people to talk to the home office. Which makes the response I got from the home office quite interesting...
The best source of information to guide you further on the issue you raise
would be the Information Commissioners Office, whose website can be found at
http://www.ico.gov.uk/. The site covers a wide range of matters on access to
business information and the protection of personal information.
In all respects, it is not for the Home Office to determine whether BT has
acted illegally or not.
(I've just emailed them again to ask them to explain the fact that they say talk to the ICO, and the ICO says talk to them...)
(apologies for double comment, assuming both get through, I hadn't read all the statement before posting before)
Hold on, hold on....
Yes, a small victory, I grant you. But the problem still remains with the nature of the opt-in arrangement. If Phorm and BT are so closely tied together (as I imagine they would be, as well as other ISPs that have a tight profit margin), wouldn't it seem advantageous for the ISPs to tie the opt-in with their Terms and Conditions? Like, maybe, if you don't want Phorm to monitor your online activities, then you can Phuck off to another ISP. You don't have to agree to use our service, but if you do, this is how it's gonna work. (might not work for current customers, as they would have to agree to a new contract with new T&Cs, but for new customers...)
Do we have any protection against something like that? I know that Phorm is a separate company in its own right and it would be them who have to seek your permission to opt-in, but wouldn't they do it through the ISP to save themselves the time and effort?
re: Only half the issue has been addressed
Strangely enough I have had no response from the ICO about that very subject. I asked them to explain how BT/Phorm planned to ask permission to intercept communications between my website and my customers.
Should I ever get a reply...
Obviously I am pleased to read this story. It is, indeed, another step in the right direction. It's delightful to imagine the cussing and ranting coming from behind K(u)nt Etrugul's office door.
What's more, Vulture Central deserves a night down the boozer for its campaigning journalism on this issue.
But the battle is far from won. Even if Phorm's shares nosedive further or the firm simply gives up the ghost (neither likely) someone someday will step into the breach because too many vested interests - from ISPs and Telcos to security services and governments - will find mass "anonymised" interception and analysis of all port 80 traffic too tempting to resist.
If, in the light of the Information Commissioner's statement, Phorm and its ISP partners have to make the product opt-in they will disguise it as an anti-phishing or anti-advertising feature (as, of course, they already are). That alone should entrap enough tech-illiterate non-Reg readers to make the scheme financially viable. Alternatively they will bury opt-in in their Service T&Cs - and who reads T&Cs carefully in every particular? So the need for widespread publicity is even greater than ever.
We're on the right course to phuck the current Phorm scheme but we ain't there yet.
Let the fight continue, comrades - but with even greater vigour!
Aux armes, citoyens!
...hit a low today of £14.25, and it looks like it's going to have its lowest closing price in 52 weeks... currently trading at £14.85, off 10%, with the FTSE up about 4%.
Tragic really. No, really.
Is it worth anyone left with BT opting into the trial?
Just a thought, but if everyone with technical nous or half a clue opts out of the BT trial, all that will be left are those who believe BT are good and can do no wrong, the BT plants and those who wouldn't know the difference between dialup and ADSL2+
What about some readers here, with that precious half a clue, recording genuine experiences such as failed redirects, pre and intra-trial latencies and speed, etc.
Also, if you opt-out midway through the trial, what happens when your anti-spyware software deletes your Phorm cookie as part of a regular cleanup? Are you re-profiled and do you get any notice that you've been re-profiled?
This is in regard to the ICO's statement's last para:
"In the view of the Commissioner Phorm can operate Webwise and OIX in a way which is in compliance with the DPA and PECR but must be sensitive to the concerns of users. The Commissioner will keep the Phorm products under review as they are rolled out and his view will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision. The Commissioner will also continue to be interested in the dialogue between technical experts and Phorm about the way in which the system operates."
If all they get are Phorm/BT success stories from the trial, they'll probably lose their spine again and can legitimately ignore the techy responses from those who haven't any real experience of the nasty bit of stuff.
just my 2p...
Opt-in or .....
I assume the next step for BT is to make the opt-in tick box a requirement in the contract to access the service (or maybe they will just put you a higher price if you don't opt-in). BT is just beyond shame.
"Which means leaving them if you don't."
They need your custom more than we need their spyware and they damn well know it.
They're not implementing Phorm to spy on you, that's just a side-effect. The reason for the implementation is the same reason they do anything and everything - profit. Hit them where it hurts - if the ISP does something you don't like then just find another ISP.
With this in mind, can anybody who has more than a passing interest in law tell me: If BT change the T&Cs to something I can't or won't agree to can I simply end the contract? I'm tied into this contract for another 12 months and would like to know my legal standpoint if BT do decide to implement Phorm.
@All well and good but...
>>The article makes no mention of the method of opt out. Will it require a cookie or won't it?
No, the fact the ICO has stated it is an opt-in, then by default you won't be included; you'll have to specifically 'ask' to be included in the scheme. It could well be that you'll now need a cookie to be included.
Watch out for false endings ...
I wouldn't call victory yet. They can still hassle you for your opt-in or your ISP could opt-in for you via small print.
Phorm will be looking for ways to regroup and represent their technology.
This is the bit in the movie where the heroes think the monster/robot is dead and drop their guard.
It has just blinked. What are we going to do? Stand around cheering while it slowly gets up behind us or keep kicking, blogging, spreading the word and signing petitions?
They have taken a blow and are on the floor but I don't want Phorm beaten ... I want it dead, sliced, diced, burnt and buried under a motorway bridge (or airport terminal).
Datatheft is supposedly a criminal offence - but not yet something you could be put in jail for - so BT managers may only risk looking forward to a possibility to be fined.
To me there appears to be quite obvious instances of datatheft when intercepting people's communication data and trawling for data. Not all data in this communication is owned by the customer of a BT account even if it may be included in their communication praxis. As mentioned earlier some of this data belongs to third party. So I would expect that there is much more than meets the eye that might be coming up later. Not only privacy issues and interception as phenomena. Data theft as phenomena arising from Phorm practice has so far as I know not been targeted as a serious issue in this case.
1st Strike for The People VS The Man... errr I mean... Phorm
Still a long road ahead but first blood to us!
Keeping this sucker on refresh too just for the shits and giggles:
I am not a lawyer and I don't have much of a phucking clue about this but...
Hasn't the ICO totally missed the point about Phorm?
"Even if Phorm is not processing personal data..."
They're watching your whole internet connection. "We can see everything" is their sales pitch. I throw down a challenge - send me a month's worth of browsing history and I'll tell you:
1.) Who you are
2.) The town you live in
3.) The type of pron you like
4.) Which banks you use
5.) The newspapers you read and your political persuasion
6.) Your religious interests, if any
7.) The names of your best online friends
8.) Your best friends' partners' names
9.) If you have any pets
10.) Everything you buy online
11.) Your employer
12.) Your next employer
13.) Your proficiany in spelling
14.) The state of your physical and mental health
15.) If you're overweight
16.) What your foot size is
One small step.
Well this seems like a good first step but there is some way to go yet.
First in relation to Richard Buxton's comment about whether opt-out cookies will be required. Surely if the ICO declares that the system must be 'opt-in' then Phorm & ISPs must use 'opt-in' cookies (if using them at all).
The ICO ruling is a complete reversal of how the opt-in/out should be managed and this needs to be reflected in the Phorm/ISP process so that it explicitly checks that someone has ticked a box to say "yes I opt in to Phorm", rather than imply it simply because they didn't opt-out.
If a cookie is to be used then it must only be there if a person has opted in to Phorm. We can't have a situation where someone who hasn't opted-in finds that Phorm is tracking them because for-what-ever reason the webwise cookie has been deleted.
This would also seem to be a legal failsafe from the point of view of Phorm and the ISPs: if an opt-in cookie is absent then they won't track a person's activity so no problem, but if an opt-out cookie is absent then they would be tracking activity and if that person hadn't explicitly opted-in then presumably it would be illegal.
Second, as has been mentioned before, there are two parties involved in web-browsing; the person requesting the information and the website that serves it. The ICO is now saying:
"This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users."
It is websites that will be providing this 'traffic data'. There is very little mentioned about how 'opt-in' consent from website owners is going to be handled? I see no reason why my websites should be used to make money for somebody else.
Haven't discussed PECR with ICO yet?
Funny, I seem to recall statements from both Phorm and BT that they had fully investigated the law with regards this technology and after receiving professional advice (from a QC none the less) they were confident they were well within the bounds of the law.
So we have an unnamed QC who doesn't understand what PECR is or what it means with regards Phorm. Furthermore it shows yet again that Phorm and BT have failed dramatically with regards to due diligence on this technology given they have not even discussed PECR (an EC Directive) with ICO.
The sad thing is, I, as an undergraduate with limited experience in law, not to mention even more limited resources, was able to interpret the implications under PECR almost an entire week before our well resourced IC picked up on the same arguments.
Maybe I should apply for a job as IC as I clearly have more knowledge and understanding of the Directive the current IC is supposed to enforce. I would be happy to take up the role should Mr Brown wish to contact me with a proposal.
What was the share high? I want to gloat at the difference, and you want to post it, admit it!
Hi, PhormPRTechPRTeam here...
We still believe that we conform to the highest possible data protection standards because we have still got our heads so far up our own arses that we have no comprehension of the real world anymore. I mean, the normal versions of the DPA and RIPA are for other people, surely?
We wish that you would all stop being so mean to us - we had a really good idea to make shitloads of cash. OK, so it's illegal, unethical and underhanded but BT _really_ like the idea, presumably because they have the same ethics as us! And BT are a really caring, sharing company. No, honestly they are. You all know that.
Now, about those BT trials that we haven't talked about yet.
They were not illegal because at the time we didn't think anyone would mind that we were intercepting data transmissions without permission - and also, as we have stated many, many times, the versions of the DPA and RIPA that everyone else abides to do _not_ apply to either us or BT. (By the way, thanks for that, Patricia! Your new boat is on the way!)
Now, let's address the issues from the ICO and opt-in.
We will be working closely with BT's legal department to ensure that the changes to your Terms and Conditions will be clearly stated on page 935 of your updated Conditions and Terms. And, of course, there is the cookie.
So no problem there.
Any more questions, please feel free to email me at fuckwit.phormPRTechPRTeam@phorm.com
Phank phuck for phat
This is great news for the technically literate. Unfortunately it's pretty obvious that BT will now market this to the other 99% of its customers as an anti-phishing device unless it is compelled by the ICO to make very clear that it works via data interception... and this is bloody unlikely.
So it's probably up to the informed media (so that's the techno-illiterati at the BBC out) and competing ISPs to publicise this behaviour.
Other relevations of PECR
Section 6 is also relevant:
"1. Subject to paragraph (4), a person shall not use an electronic communications
network to store information, or to gain access to information stored,
in the terminal equipment of a subscriber or user unless the requirements of
paragraph (2) are met.
2. The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes
of the storage of, or access to, that information; and (emphasis added)
(b) is given the opportunity to refuse the storage of or access to that infor-
Also Section 8 adds weight to the requirements of consent:
"Processing of traffic data in accordance with regulation 7(2) or (3)
shall not be undertaken by a public communications provider unless the
subscriber or user to whom the data relate has been provided with information
regarding the types of traffic data which are to be processed and
the duration of such processing and, in the case of processing in accordance
with regulation 7(3), he has been provided with that information
before his consent has been obtained."
And Section 27 would seem to address the issue of whether or not BT can circumvent the requirement for explicit consent by simply changing their terms and conditions:
"To the extent that any term in a contract between a subscriber to
and the provider of a public electronic communications service or such
a provider and the provider of an electronic communications network
would be inconsistent with a requirement of these Regulations, that
term shall be void."
Looks like the BT Trials of 2006/2007 are going to get shafted by the PECR...
I'll get my coat ;)
June last year Phorm traded as high as £35.80.
Google Finance is pretty good for share price charts, and Interactive Investor (www.iii.co.uk) is pretty good if you want to laugh at the amateur traders who bought in not knowing a thing about the technology and assuming that tech + currently increasing share price = profit forever.